The server was not starting. As a result, the dnsmasq service failed to
start, and the playbook thus failed to run when using the vpn role.
This patch corrects the configuration per instructions from
https://help.ubuntu.com/community/OpenVPN.
OpenVPN PAM configuration moved up to reduce server bouncing as the
playbook runs. The dependency on service (re)starts between openvpn and
dnsmasq works but feels brittle.
Per discussion on #429 (after the merge). This project is about encouraging users to run services themselves and not rely on for-profit corporations such as Google.
* Update OpenVPN role to generate self-contained "unified" .ovpn
profiles
* The role now generates .ovpn profiles with embedded CA, certificate,
key, and HMAC firewall key information. These .ovpn profiles are
compatible with OpenVPN for iOS and Android, and only a single file
needs to be transferred to your mobile device.
* Added explicit route information to the .ovpn profile
* Removed unicode char from task name (ansible 1.3 doesn’t like it)
* Use ansible sysctl module instead of lineinfile
* Wait for only 5 seconds (for fully automated deploy)
Updated the OpenVPN role so certificate expiration is handled
correctly. The number of days that a certificate will be considered
valid is now a user-controlled variable and is set to five years by
default. (Fixes Issue #87)
* Add an openvpn_server variable
* Move ${openvpn_client}.{key,csr,crt} to
${openvpn_client}/client.{key,csr,crt}
* Generate ${openvpn_client}/${openvpn_server}.ovpn config file
* Copy over a self contained directory of file per client that can be
imported by networkmanager in ubuntu or run directly with `sudo
openvpn ${openvpn_server}.ovpn
* OpenVPN setup is now fully automated. No configuration changes
are necessary (though the defaults can easily be modified) and
all manual command line steps have been eliminated.
* Removed the dependency on easy-rsa in favor of pure OpenSSL and
OpenVPN commands that are executed by Ansible
* Improved the security of the OpenVPN configuration
* Increased the default key size to 2048
* RSA keys are only readable by root
* The cipher and authentication digest are now configurable. If
your client supports it, you can use AES-256-CBC and SHA256
instead of BF-CBC (Blowfish) and SHA1 which are the defaults.
Or you can be a really cool, paranoid, crypto hipster and
use CAMELLIA-256-CBC and SHA512 with an RSA key size of 4096.
* Enabled "HMAC firewall" functionality using the tls-auth option
and automated the generation of the 'ta' key that it depends on
* The OpenVPN daemon becomes an unprivileged user after it starts
* Automated the retrieval of the files that clients will need in
order to connect to OpenVPN
* A pause prompt outputs basic configuration information after the
role has finished running
* Variables are referenced using the new Ansible variable format
(e.g. {{ var }} instead of $var)
* Added a flush_handlers command to the role that ensures OpenVPN
will restart prior to dnsmasq (fixes issue #63)
* Fixed two bugs that were preventing packet forwarding for IPv4
from being enabled correctly
That way the default values will not be applied by mistake. The user
needs to uncomment the lines from `vars/users.yml` and set them.
Also renamed openvpn variables.
Refs #39